ocp-disco-install-materials/10-quay-tmp-fixes.yml

---
# These are the temporary tasks needed on workstation before classroom build is finished.
- name: Fixes required on utility VM.
  hosts: utility.lab.example.com
  become: yes
  gather_subset: min
  tasks:
# XXX DONE XXX    # Fixing the DNS first.
# XXX DONE XXX    - name: add ocp4.example.com hosts to /etc/hosts
# XXX DONE XXX      become: yes
# XXX DONE XXX      ansible.builtin.lineinfile:
# XXX DONE XXX        path: /etc/hosts
# XXX DONE XXX        mode: 0644
# XXX DONE XXX        regex: "{{ item.hostname }}"
# XXX DONE XXX        line: "{{ item.addr }} {{ item.hostname }}"
# XXX DONE XXX        state: present
# XXX DONE XXX      loop:
# XXX DONE XXX        - addr: 192.168.50.40
# XXX DONE XXX          hostname: idm.ocp4.example.com
# XXX DONE XXX        - addr: 192.168.50.50
# XXX DONE XXX          hostname: registry.ocp4.example.com
# XXX DONE XXX        - addr: 192.168.50.10
# XXX DONE XXX          hostname: master01.ocp4.example.com
# XXX DONE XXX        - addr: 192.168.50.11
# XXX DONE XXX          hostname: master02.ocp4.example.com
# XXX DONE XXX        - addr: 192.168.50.12
# XXX DONE XXX          hostname: master03.ocp4.example.com
# XXX DONE XXX        - addr: 192.168.50.13
# XXX DONE XXX          hostname: worker01.ocp4.example.com
# XXX DONE XXX        - addr: 192.168.50.14
# XXX DONE XXX          hostname: worker02.ocp4.example.com
# XXX DONE XXX
# XXX DONE XXX    - name: Ensure dnsmasq is installed.
# XXX DONE XXX      ansible.builtin.yum:
# XXX DONE XXX        name:
# XXX DONE XXX          - dnsmasq
# XXX DONE XXX          - dnsmasq-utils
# XXX DONE XXX        state: present
# XXX DONE XXX
# XXX DONE XXX    - name: Ensure dnsmasq is listening on all interfaces
# XXX DONE XXX      ansible.builtin.lineinfile:
# XXX DONE XXX        path: /etc/dnsmasq.conf
# XXX DONE XXX        mode: 0644
# XXX DONE XXX        regex: "^interface=(.*)$"
# XXX DONE XXX        line: '#interface=\g<1>'
# XXX DONE XXX        backrefs: yes
# XXX DONE XXX
# XXX DONE XXX    - name: Ensure dnsmasq is enabled and running.
# XXX DONE XXX      ansible.builtin.systemd_service:
# XXX DONE XXX        name: dnsmasq
# XXX DONE XXX        enabled: yes
# XXX DONE XXX        state: started
# XXX DONE XXX
# XXX DONE XXX    - name: Ensure DNS is open in the firewall.
# XXX DONE XXX      ansible.posix.firewalld:
# XXX DONE XXX        immediate: yes
# XXX DONE XXX        permanent: yes
# XXX DONE XXX        zone: "{{ item }}"
# XXX DONE XXX        service: dns
# XXX DONE XXX        state: enabled
# XXX DONE XXX      loop:
# XXX DONE XXX        - external
# XXX DONE XXX        - public

    - name: Ensure idm is in ocp4.example.com zone.
      ansible.builtin.lineinfile:
        path: /var/named/ocp4.example.com.db
        regex: '^idm[[:space:]]'
        insertafter: '.*IN NS dns\.ocp4\.example\.com\.$'
        line: 'idm      IN A 192.168.50.40'
      notify:
        - fix forward zone serial
        - restart named

    - name: Ensure idm is in ocp4.example.com reverse zone.
      ansible.builtin.lineinfile:
        path: /var/named/ocp4.example.com.reverse.db
        regex: '^40[[:space:]]'
        insertafter: '.*IN NS dns\.ocp4\.example\.com\.$'
        line: '40  IN PTR idm.ocp4.example.com.'
      notify:
        - fix reverse zone serial
        - restart named

    - name: Ensure utility allows forwarding traffic from external to public/trusted zones.
      ansible.builtin.copy:
        dest: /etc/firewalld/policies/fwd-stud-to-ocp.xml
        mode: 0644
        owner: root
        group: root
        content: |
          <?xml version="1.0" encoding="utf-8"?>
          <policy target="ACCEPT">
            <ingress-zone name="external"/>
            <egress-zone name="public"/>
            <egress-zone name="trusted"/>
          </policy>
      notify:
        - reload utility firewalld
  handlers:
    - name: reload utility firewalld
      ansible.builtin.service:
        name: firewalld
        state: reloaded

    - name: fix forward zone serial
      ansible.builtin.lineinfile:
        path: /var/named/ocp4.example.com.db
        regex: '.*; serial$'
        line: "                {{ ansible_facts['date_time']['year'] }}{{ ansible_facts['date_time']['month'] }}{{ ansible_facts['date_time']['day'] }}00"

    - name: fix reverse zone serial
      ansible.builtin.lineinfile:
        path: /var/named/ocp4.example.com.reverse.db
        regex: '.*; serial$'
        line: "                {{ ansible_facts['date_time']['year'] }}{{ ansible_facts['date_time']['month'] }}{{ ansible_facts['date_time']['day'] }}00"

    - name: restart named
      ansible.builtin.service:
        name: named
        state: restarted

- name: Fix registry VM configuration.
  hosts: registry.ocp4.example.com
  become: yes
  gather_facts: no
  tasks:
    - name: Ensure eth1 interface is in public zone.
      ansible.builtin.firewalld:
        zone: public
        interface: eth1
        immediate: yes
        permanent: yes
        state: enabled
      notify:
        - reload registry firewalld

# XXX DONE XXX    #- name: Ensure registry is using bastion as the DNS
# XXX DONE XXX    #  community.general.nmcli:
# XXX DONE XXX    #    conn_name: "System eth1"
# XXX DONE XXX    #    dns4: 172.25.250.254
# XXX DONE XXX    #    state: present
# XXX DONE XXX    #  notify:
# XXX DONE XXX    #    - bounce eth1

  handlers:
    - name: reload registry firewalld
      ansible.builtin.service:
        name: firewalld
        state: reloaded

# XXX DONE XXX    #- name: reload connections
# XXX DONE XXX    #  listen: bounce eth1
# XXX DONE XXX    #  ansible.builtin.command: nmcli con reload
# XXX DONE XXX
# XXX DONE XXX    #- name: take eth1 down
# XXX DONE XXX    #  listen: bounce eth1
# XXX DONE XXX    #  ansible.builtin.command: nmcli con down "System eth1"
# XXX DONE XXX
# XXX DONE XXX    #- name: bring eth1 up
# XXX DONE XXX    #  listen: bounce eth1
# XXX DONE XXX    #  ansible.builtin.command: nmcli con up "System eth1"
...